Survey reveals that security and quality processes are not being followed

Software delivery practices remain “a cause for high concern, risk and financial loss,” according to a February 2011 survey released by Creative Intellect Consulting, a research firm based in the U.K.

The survey included more than 170 professionals from North America, Europe, the Pacific Rim, and Central and South America. Of these individuals, 59% are not following security and quality processes rigorously, and 26% have little or no secure development process. However, change control processes are followed by more than 93%, according to the survey.

“When [developers] are rushing to get [projects] out, security and testing falls to the side,” said Bola Rotibi, research director Creative Intellect Consulting.

She added that there are often gaps between policies regulating the development of secure code and the enforcement of such policies at large development companies. The increasing threat of cybercrime, she said, is going to force companies to think more about secure code now and in the future.

The study found that 62% of respondents lack management support and investment for security improvements across the software delivery life cycle. Sixty-nine percent stated that not having the right culture in their organization was the main barrier to improving software security. The report concluded, “Businesses do not do what management doesn’t support.”

Security, according to Rotibi and the survey, is not a large part of the software development life-cycle plan because those at the executive level in large companies often do not believe it directly affects profit. Rotibi suggested, however, that insecure code (code vulnerable to malware and other threats) could cost companies billions in lost time and, perhaps, stolen information.

Education, Rotibi and the survey said, is important for changing the culture of software security throughout the life-cycle management process and development process.

More than 57% of the respondents claimed that a lack of education and training hampered their ability to produce secure code, according to the survey. “There is a lack of management investment in this side of software development,” Rotibi said.

“As organizations look to software solutions to drive business growth, quality will become an important issue [at every level of the organization],” she added.